DAGON LOCKER Ransomware Being Distributed – ASEC BLOG

DAGON Locker ransomware is being distributed in Korea, often via phishing emails, and operates as a ransomware-as-a-service with variable distribution strategies. Its core is a 64-bit EXE loaded from memory; it encrypts files with ChaCha20, protects the key with RSA-2048, and controls the scope of encryption through execution arguments. #DAGON #MountLocker #Quantum #AhnLab #AhnLabTIP #ChaCha20 #RSA2048

Key points

  • DAGON is distributed in Korea and commonly spread through phishing emails or email attachments, reflecting its ransomware-as-a-service nature.
  • The core code runs as a 64-bit EXE loaded from memory and shows version information like “Ver 5.1 x64,” with similarities to MountLocker and Quantum.
  • Files are encrypted with ChaCha20 (using RSA-2048 for the key) and renamed to “*.dagoned,” with extensive exclusion lists for paths and extensions.
  • Encryption scope can be controlled via execution arguments (e.g., “/LOGIN=”, “/PASSWORD=”), and some variants may run with no additional arguments.
  • The malware terminates certain Windows services and processes to hinder detection, including security-related tools and monitoring processes.
  • It saves system information and encryption history to a local .log file (unless /NOLOG is used), capturing details like processor count, user names, and encryption statistics.
  • Volume shadow copies are not deleted; this behavior was not observed in this sample.

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – DAGON is distributed via phishing emails or attachments. “DAGON is commonly distributed through phishing mails or as an attachment to emails.”
  • [T1486] Data Encrypted for Impact – Encrypts files (ChaCha20 with RSA-2048) and renames them to *.dagoned. “Encrypts all files except certain paths and file extensions before changing them to filenames in the format of ‘*.dagoned’” and “uses the ChaCha20 encryption method for file encryption, and uses the RSA-2048 encryption key for the process.”
  • [T1059.003] Command and Scripting Interpreter – Uses GetCommandLineW to read transmitted execution arguments to adjust encryption scope. “The GetCommandLineW function is used to check the transmitted execution argument. After checking for the existence of a valid argument, the scope of ransomware encryption is limited or expanded.”
  • [T1057] Process Discovery – Enumerates running services and processes to identify targets for termination. “DAGON looks up Windows services that are validly (SERVICE_ACTIVE) running as a process (SERVICE_32) in the system using the EnumServiceStatus function. If three particular pattern names are present in the service name, that service is terminated.”
  • [T1562.001] Impair Defenses – Terminates security tools and monitoring processes to hinder detection. “Processes to be terminated include malware behavior monitoring processes such as “agntsvc.exe”… and any of them corresponding to the malware’s list of 49 processes are also terminated.”
  • [T1082] System Information Discovery – Collects and logs system information; “User system information: Number of processors, Windows version, username, PC name, group account, etc.”
  • [T1005] Data from Local System – Saves system info, termination lists, and encryption history to a local .log file. “If no separate /NOLOG execution argument is given, the user system information, file operation processes, and all encryption history logs are saved into a ‘.log’ file in the same path.”

Indicators of Compromise

  • [MD5] File hashes – 48177ece3ebdee2faf8227e52e608562, 81a757ac559ae73229992d4b533338c3
  • [File Extension] Encrypted files end with .dagoned
  • [Filename] Ransom note file – README_TO_DECRYPT.html
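The MITRE behaviors and indicators above can be turned into simple host-telemetry detection logic. The following is an added example (not code from the ASEC post): it scans constructed process-creation, file-rename and file-create events for the execution arguments, the .dagoned extension, the ransom note filename and the two MD5 hashes listed on this page. The event field names and the rename threshold are assumptions for illustration.

```python
# Detection sketch for DAGON Locker indicators. Event layout (type, pid,
# cmdline, md5, target) is a hypothetical normalised form of EDR/Sysmon data.

# Indicators taken from the ASEC write-up summarised above.
DAGON_ARGS = ("/LOGIN=", "/PASSWORD=", "/NOLOG")
ENCRYPTED_EXT = ".dagoned"
RANSOM_NOTE = "readme_to_decrypt.html"
KNOWN_MD5 = {"48177ece3ebdee2faf8227e52e608562",
             "81a757ac559ae73229992d4b533338c3"}
RENAME_THRESHOLD = 5  # assumed tuning value: renames per process before alerting


def scan_events(events):
    """Return (reason, event) findings for DAGON-like activity in event order."""
    findings = []
    renames_per_pid = {}
    for ev in events:
        kind = ev.get("type")
        if kind == "process":
            cmd = ev.get("cmdline", "").upper()
            if any(arg in cmd for arg in DAGON_ARGS):
                findings.append(("dagon_cmdline_args", ev))
            if ev.get("md5", "").lower() in KNOWN_MD5:
                findings.append(("known_dagon_hash", ev))
        elif kind == "file_rename":
            if ev.get("target", "").lower().endswith(ENCRYPTED_EXT):
                pid = ev.get("pid")
                renames_per_pid[pid] = renames_per_pid.get(pid, 0) + 1
                # Alert once per process, when the burst crosses the threshold.
                if renames_per_pid[pid] == RENAME_THRESHOLD:
                    findings.append(("mass_rename_to_dagoned", ev))
        elif kind == "file_create":
            name = ev.get("target", "").replace("/", "\\").split("\\")[-1]
            if name.lower() == RANSOM_NOTE:
                findings.append(("ransom_note_written", ev))
    return findings


# Constructed sample telemetry: one DAGON-like process and one benign process.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4120, "cmdline": "update.exe /LOGIN=u /PASSWORD=p",
     "md5": "48177ece3ebdee2faf8227e52e608562"},
    {"type": "file_create", "pid": 4120,
     "target": "C:\\Users\\alice\\Documents\\README_TO_DECRYPT.html"},
] + [
    {"type": "file_rename", "pid": 4120,
     "target": f"C:\\Users\\alice\\Documents\\report{i}.docx.dagoned"}
    for i in range(6)
] + [
    {"type": "process", "pid": 900, "cmdline": "notepad.exe notes.txt",
     "md5": "00000000000000000000000000000000"},  # placeholder benign hash
]

if __name__ == "__main__":
    for reason, ev in scan_events(SAMPLE_EVENTS):
        print(reason, ev["pid"])
```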

Read more: https://asec.ahnlab.com/en/42037/